Oracle file permissions

A Security Readiness Review (SRR) script was run against our server's operating system and several STIG violations related to Oracle directories were found.
These files are listed below:

-rwsr-s--- 1 oracle dba 2986436 Mar 31 14:12 dbsnmp
-r-sr-s--- 1 oracle dba 11784 Oct 14 2004 oradism
-rwsr-s--x 1 oracle dba 65422428 Mar 31 16:53 oracle
-rwsr-s--x 1 oracle dba 65357392 Mar 31 14:13 oracleO
-rwSr----- 1 oracle dba 1536 Apr 12 01:06 orapwriacurw
-rwSr----- 1 oracle dba 1536 Apr 12 01:20 orapwriacutm

I am not familiar with how SUID and SGID work. Do these files have a sticky bit set on them? The security team says that the permissions are a sticky bit violation and that they need to be changed (i.e. remove the s). My concern is whether or not changing these permissions to satisfy them will cause certain processes not to run or break anything in Oracle. If these permission settings must remain this way then I have to supply a written justification. Can someone provide an explanation, guidance, and/or recommendation for this issue?
Asked by: sikyala, Senior Database Administrator

Tintin Commented:
None of the files have a sticky bit set.

If they had a sticky bit, it would look like:

-rwsr-s--t 1 oracle dba 2986436 Mar 31 14:12 dbsnmp

Sticky bits are most commonly used on directories.  /tmp is a prime example where its permissions are 1777 (drwxrwxrwt).  The sticky bit prevents users deleting files in /tmp that aren't owned by them even though there is group write permission.

I really hope your security team knows the difference between sticky and suid and guid bits.

Essentially the permissions allow any user who is in the 'dba' group to be able to access and run most (not all) things that the 'oracle' user can.  If you don't have any users in the dba group, then you could possibly change permissions

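The distinction drawn in the answer above can be checked mechanically. The following is an added example, not part of any poster's answer: it decodes the mode strings from the question's listing into octal and names the special bits each one carries. The function names are illustrative, and the tmp line is constructed from the drwxrwxrwt example.

```python
import stat

# Listing lines copied from the question; the tmp line is constructed
# from the drwxrwxrwt example in the answer.
LISTING = """\
-rwsr-s--- 1 oracle dba 2986436 Mar 31 14:12 dbsnmp
-r-sr-s--- 1 oracle dba 11784 Oct 14 2004 oradism
-rwsr-s--x 1 oracle dba 65422428 Mar 31 16:53 oracle
-rwSr----- 1 oracle dba 1536 Apr 12 01:06 orapwriacurw
drwxrwxrwt 2 root root 4096 Jan 1 00:00 tmp
"""

PLAIN = (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
         stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
         stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)
# (index in the 9-character string, special bit, letters ls prints for it)
SPECIAL = ((2, stat.S_ISUID, "sS"), (5, stat.S_ISGID, "sS"), (8, stat.S_ISVTX, "tT"))
NAMES = ((stat.S_ISUID, "setuid"), (stat.S_ISGID, "setgid"), (stat.S_ISVTX, "sticky"))

def decode_mode(field):
    """Convert an ls mode string such as '-rwsr-s--x' to permission bits."""
    perms = field[1:10]
    if len(perms) != 9:
        raise ValueError("not an ls mode string: %r" % field)
    mode = 0
    for i, ch in enumerate(perms):
        if ch == "rwx"[i % 3]:
            mode |= PLAIN[i]
        elif ch != "-" and i % 3 != 2:
            raise ValueError("unexpected %r in %r" % (ch, field))
    for pos, bit, letters in SPECIAL:
        ch = perms[pos]
        if ch in letters:
            # lowercase: special bit plus execute; uppercase: special bit only
            mode |= bit | (PLAIN[pos] if ch.islower() else 0)
        elif ch not in "x-":
            raise ValueError("unexpected %r in %r" % (ch, field))
    return mode

def report(listing):
    """Return (name, octal mode, [special bits set]) for each listing line."""
    rows = []
    for line in listing.splitlines():
        parts = line.split()
        mode = decode_mode(parts[0])
        rows.append((parts[-1], "%04o" % mode, [n for b, n in NAMES if mode & b]))
    return rows

if __name__ == "__main__":
    for name, octal, bits in report(LISTING):
        print("%-14s %s  %s" % (name, octal, ", ".join(bits) or "none"))
```

None of the Oracle files decode with the sticky bit (octal 1000); only the constructed tmp directory line does.
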
yuzh Commented:
-rwsr-s--x 1 oracle dba 65422428 Mar 31 16:53 oracle
It is the correct permission.

It is to make sure that oracle is running as user oracle and group dba.

To learn more details about "SUID, SGID, and Sticky Bits", please read
http://www.unix.org.ua/orelly/networking/puis/ch05_05.htm
http://www.zzee.com/solutions/unix-permissions.shtml

If a script or program has permissions like:
-rwsr-s--x 1 root root  65422428 Mar 31 16:53 someapp

then you need to pay attention to what someapp is for.
yuzh Commented:
I can't see any valid reason to "Delete/NO refund" for this question.

Our comments lead to the answer of the question.

Have a nice weekend to all of you.

Unix OS


Question has a verified solution.
